I need some help with best practice for a subordinate CA and
distributing the CA certificate(s).
If I have a root cert A, which issues a subordinate CA B, what does an
SSL client need to trust in order to communicate with a server
certificate issued by B? Does it only need to know about and trust B or
does it need to know and trust A as well?
I ask because I see different behavior in testing ldapsearch in RHEL-5
(OpenSSL) and RHEL-6 (NSS).
RHEL-5 requires the entire cert chain; RHEL-6 requires just the leaf.
Currently IPA only distributes the IPA CA, not the rest of the chain.
The answer will impact a CVE we're working on, so our need is urgent and
the word is mum.
thanks
rob
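The difference rob observed matches the two trust-anchor policies the two libraries use: older OpenSSL builds a path from the leaf and accepts it only if it terminates at a self-signed root present in the trust store, whereas NSS treats any certificate in its database that carries trust flags as an anchor, so a subordinate CA in the store is enough. The following is an added model of that path-building logic, not code from the post or from IPA. It abstracts away signature checking (the `issuer` field stands in for a verified signature) and uses constructed names `Cert`, `build_path`, `verify`, and the sample certificates `ROOT_A`, `SUB_B`, `LEAF`; none of these come from the original message.

```python
"""Model of X.509 path building under two trust-anchor policies.

Added example, not part of the original mailing-list post.  Signatures are
NOT checked: each Cert records its issuer name, and that "issued by" link
stands in for a verified signature.  The two policies modelled are:
  * strict   - the path must end at a self-signed root that is in the
               trust store (older OpenSSL behaviour, no partial chains);
  * partial  - any certificate on the path that is in the trust store is
               itself an anchor (NSS behaviour with a trusted sub-CA).
"""
from dataclasses import dataclass
from typing import Iterable, List, FrozenSet


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool = False

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def build_path(leaf: Cert, presented: Iterable[Cert], store: Iterable[Cert]) -> List[Cert]:
    """Walk issuer links upward from the leaf.

    Candidates are the certificates the server presented plus the client's
    trust store (a copy in the store is preferred over a presented copy).
    The walk stops at a self-signed certificate, at a missing issuer, at a
    non-CA issuer, or on a loop, and returns the path built so far.
    """
    by_subject = {}
    for cert in list(store) + list(presented):
        by_subject.setdefault(cert.subject, cert)

    path = [leaf]
    seen = {leaf.subject}
    while not path[-1].self_signed:
        issuer = by_subject.get(path[-1].issuer)
        if issuer is None or issuer.subject in seen or not issuer.is_ca:
            break
        path.append(issuer)
        seen.add(issuer.subject)
    return path


def verify(leaf: Cert, presented: Iterable[Cert], store: FrozenSet[Cert],
           partial_chain_ok: bool) -> bool:
    """Return True if the client would accept `leaf` under the chosen policy."""
    path = build_path(leaf, presented, store)
    if partial_chain_ok:
        # NSS-style: a trusted cert anywhere on the path anchors it.
        return any(cert in store for cert in path)
    # Strict (older OpenSSL): path must reach a self-signed root in the store.
    top = path[-1]
    return top.self_signed and top in store


# Constructed sample hierarchy: root A issues sub-CA B, which issues the leaf.
ROOT_A = Cert("CN=Root A", "CN=Root A", is_ca=True)
SUB_B = Cert("CN=Sub B", "CN=Root A", is_ca=True)
LEAF = Cert("CN=ldap.example.test", "CN=Sub B")


def scenarios() -> dict:
    """Outcomes (strict, partial) for the client configurations in question."""
    return {
        # Client trusts only B; server sends leaf only.
        "trust B, server sends leaf": (
            verify(LEAF, [LEAF], frozenset({SUB_B}), False),
            verify(LEAF, [LEAF], frozenset({SUB_B}), True)),
        # Client trusts A and B; server sends leaf only.
        "trust A+B, server sends leaf": (
            verify(LEAF, [LEAF], frozenset({ROOT_A, SUB_B}), False),
            verify(LEAF, [LEAF], frozenset({ROOT_A, SUB_B}), True)),
        # Client trusts only A; server sends leaf and B.
        "trust A, server sends leaf+B": (
            verify(LEAF, [LEAF, SUB_B], frozenset({ROOT_A}), False),
            verify(LEAF, [LEAF, SUB_B], frozenset({ROOT_A}), True)),
        # Client trusts only A; server sends leaf only (B missing everywhere).
        "trust A, server sends leaf": (
            verify(LEAF, [LEAF], frozenset({ROOT_A}), False),
            verify(LEAF, [LEAF], frozenset({ROOT_A}), True)),
    }


if __name__ == "__main__":
    for name, (strict, partial) in scenarios().items():
        print(f"{name:32s} strict={strict!s:5s} partial={partial}")
```

The first scenario is the one in the post: with only the subordinate CA B in the store, the partial-chain policy accepts the server certificate while the strict policy rejects it, because B is not self-signed. Distributing both A and B (second scenario) satisfies both policies, and the last scenario shows that if neither the client nor the server supplies B, no policy can build a path at all.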